AuthZ Policy - Multi Domain

Xividar (Level 1)

Hi Folks,

I am running a POC with 3 domains. The hierarchy is: lab.domain as my parent, and d1.lab.domain and d2.lab.domain as my child domains. If I log in to a workstation on d1 or d2 with a user from the parent domain, I have to use domain\username to log in before the ISE AuthZ policy is hit. If I try to use username@lab.domain, the AuthZ policy is ignored.

Is there any way to prevent this behaviour? Ideally, I don't want to burden a user with having to use FQDNs.

Thanks a lot

2 Replies

Arne Bier (VIP)

@Xividar - do you have trust relationships between the parent domain and the two children domains?

When you joined ISE to Active Directory, did you join using the parent domain?

I was under the impression that if you had 2-way trust between all the domains, and if you joined ISE at the top-level domain, then ISE would be able to search without having to qualify the full domain. It might offer the solution.

Hi Arne,

Yes, the Parent trusts both the Child domains, and both Child domains trust the Parent.

I initially joined my Parent domain to ISE, then added the Child domains later on; all domains are whitelisted.

Okay, good point. You got my wheels turning. If d1.lab.domain is using NTDS to find its closest DC, it's always going to be the d1.lab.domain DC. Now, within ISE, I didn't import any SID groups from the Parent domain into d1.lab.domain, so my particular AuthZ rule was no longer hitting that particular AuthZ entry, although I'm not sure why d2.lab.domain and lab.domain were not queried. Anyway... I added the SID group to d1.lab.domain and it works without any FQDN.

Now I am wondering about your statement "if you joined ISE at the top level domain, then ISE would be able to search". I will try this, and then import the SIDs for d1.lab.domain and d2.lab.domain. I will try that tomorrow though, as it's now getting late.

Thanks for your help
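The failure mode described in the thread (an AuthZ rule referencing an AD group that was only imported under the parent join point, so it stops matching once the user is resolved through a child join point) can be checked for with a small audit. The following is an added example, not code from the thread or from Cisco ISE; it models the join-point lookup behaviour as the poster describes it (domain\username pins the lookup to that domain, a UPN or bare name goes through the workstation's closest domain), which is an assumption for illustration, and the domain, group and rule names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class JoinPoint:
    domain: str                                         # FQDN of the AD join point in ISE
    imported_groups: set = field(default_factory=set)   # groups pulled into this join point


# Constructed NetBIOS-to-FQDN map for the thread's three domains.
NETBIOS = {"lab": "lab.domain", "d1": "d1.lab.domain", "d2": "d2.lab.domain"}


def parse_identity(identity, lookup_domain):
    """Return (join point to query, username) for 'DOMAIN\\user', 'user@fqdn' or 'user'.

    Assumption mirroring the thread: only the DOMAIN\\user form pins the lookup to that
    domain; a UPN or bare name is resolved via the join point closest to the workstation.
    """
    if "\\" in identity:
        dom, user = identity.split("\\", 1)
        return NETBIOS.get(dom.lower(), dom.lower()), user
    return lookup_domain, identity.split("@", 1)[0]


def matching_rules(identity, lookup_domain, user_groups, join_points, rules):
    """Names of AuthZ rules whose group condition can match for this login."""
    jp = join_points[parse_identity(identity, lookup_domain)[0]]
    # A rule only sees groups that were imported under the join point actually used.
    return [name for name, group in rules.items()
            if group in jp.imported_groups and group in user_groups]


def audit_group_coverage(join_points, rules):
    """(group, join point) pairs where a rule's group was never imported: the drift to fix."""
    return sorted((g, jp.domain) for g in set(rules.values())
                  for jp in join_points.values() if g not in jp.imported_groups)


def build_lab():
    """Constructed lab: group imported only under the parent join point, as in the thread."""
    group = "lab.domain/Users/ISE-Admins"
    join_points = {d: JoinPoint(d) for d in NETBIOS.values()}
    join_points["lab.domain"].imported_groups.add(group)
    return join_points, {"Admin-Access": group}, {group}


if __name__ == "__main__":
    jps, rules, alice_groups = build_lab()
    print(matching_rules("LAB\\alice", "d1.lab.domain", alice_groups, jps, rules))
    print(matching_rules("alice@lab.domain", "d1.lab.domain", alice_groups, jps, rules))
    print(audit_group_coverage(jps, rules))
```

Run the audit before changing a join point: an empty list means every rule's group is visible from every join point a user could be resolved through.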